AWS Got Bombed: When Cloud Infrastructure Becomes a Military Target

On March 1, Iranian drones struck three Amazon Web Services facilities across the UAE and Bahrain. The IRGC claimed responsibility explicitly, citing the data centers' role in supporting US military and intelligence networks. Two of three availability zones in UAE's ME-CENTRAL-1 region were taken offline. One zone in Bahrain's ME-SOUTH-1 region was destroyed. AWS confirmed structural damage, power disruption, fire, and water damage from suppression systems.

On March 24, Iran hit the Bahrain AWS facility again. Amazon confirmed disruptions and began transferring workloads to other regions. Two strikes on the same target in 24 days.

This has never happened before. Not in any war, anywhere. Cloud data centers, the infrastructure that runs global banking, logistics, communications, and increasingly military command systems, have been deliberately targeted by a state military for the first time in history.

Why did Iran target data centers?

The IRGC's reasoning was stated openly. On March 11, they published a target list naming Google, Microsoft, Palantir, IBM, Nvidia, and Oracle as potential targets for strikes on "economic centres and banks" related to US and Israeli entities. The list wasn't leaked. It was announced.

The logic is military-economic hybrid targeting. AWS hosts CENTCOM logistics systems, intelligence processing pipelines, and communications infrastructure across the Gulf. The CIA's classified cloud contract, Commercial Cloud Enterprise (C2E), split between AWS, Microsoft, Google, Oracle, and IBM, runs through exactly these facilities. Hitting AWS in Bahrain doesn't just disrupt Amazon's commercial customers. It degrades the digital backbone of the US military presence in the Gulf.

But the cascading effects hit civilian infrastructure harder than military. The March 1 strikes knocked out banking payment systems across the UAE. ATMs failed. Digital transactions froze. Logistics platforms that manage port operations in Dubai and Abu Dhabi went dark. The insurance industry, already driving Hormuz closure through war risk premiums, relies on cloud-based underwriting systems that were disrupted.

Gulf states devote over half their desalinated water production to industrial use, including cooling for data centers. The water-data center nexus creates a double vulnerability: hit the desalination plant, and the data center loses cooling water. Hit the data center, and the payment systems that manage emergency water distribution collapse. Each failure amplifies the other.

How exposed is the Gulf's digital infrastructure?

Extraordinarily. The Gulf's cloud buildout over the past five years concentrated critical infrastructure in a small number of facilities within Iranian missile range. AWS has two Gulf regions (UAE and Bahrain). Microsoft Azure has a UAE region. Google Cloud has a Doha region. Oracle has facilities across the GCC. All were built for commercial advantage (proximity to customers, favorable tax regimes, submarine cable connectivity) not for military resilience.

The submarine cables matter. Sixteen undersea fiber-optic cables transit the Red Sea and Persian Gulf, carrying approximately 90% of Europe-Asia data traffic. These cables land at shore stations in Egypt, Saudi Arabia, the UAE, and Oman, all within the war zone. Red Sea cables were cut in September 2025. The Houthi card being held in reserve includes the implicit threat to Bab el-Mandeb's cable infrastructure. Dual chokepoint closure wouldn't just block oil tankers. It would sever the digital connections that the global economy runs on.

The concentration risk is staggering. A coordinated strike on 4-5 cable landing stations and 3-4 major data center facilities could disconnect the Gulf's digital economy entirely. The financial sector, the logistics sector, the government services that rely on cloud infrastructure, all running on facilities that were built without considering they might be bombed.

What does this mean for the cloud industry?

The nearly $1 trillion global cloud industry just discovered that "the cloud" has a physical address. And that address can be hit by a $50,000 drone.

AWS's response has been to transfer workloads and announce infrastructure hardening. But the fundamental problem is architectural: cloud regions are designed for redundancy against power failures and natural disasters, not against military strikes. The three-availability-zone model assumes independent failure domains, meaning a power outage in one zone shouldn't affect another. A military campaign that deliberately targets all zones simultaneously breaks this assumption entirely.

The insurance implications are immediate. Lloyd's and major reinsurers are already reassessing war risk coverage for Gulf data center facilities. Cloud service agreements, the contracts that promise 99.99% uptime, contain force majeure clauses that exempt acts of war. Every company that relied on Gulf cloud infrastructure for critical operations just learned that their business continuity plan had a state-sized hole in it.

Russia profits from oil disruption. It may also profit from the cloud disruption. Russia's own cloud infrastructure, isolated from Western markets by sanctions, becomes relatively more attractive to non-aligned customers seeking facilities outside active war zones.

The defense establishment is recalculating. The assumption that cloud infrastructure could serve both military and commercial purposes in forward-deployed regions (the entire premise of the C2E contract model) is being questioned. You cannot simultaneously run CIA intelligence processing and Dubai's banking system through the same facility and expect both to survive a war. The dual-use model worked in peacetime. It failed on March 1.

---

FAQ

Will cloud providers leave the Gulf?

Not immediately. The commercial opportunity is too large. But expect hardened facilities, geographic diversification, and military-grade physical security at premium prices. The Gulf buildout will continue but the cost basis just changed permanently. The $50,000 drone that hit a $500 million data center proved that physical security is now a competitive differentiator, not an afterthought.

Could Iran target undersea cables instead?

Yes, and this may be the more dangerous threat. Cables are undefended, mapped in public databases, and repairable only by specialized ships with weeks-long deployment timelines. The September 2025 Red Sea cable cuts, attributed to anchor damage but suspected Houthi involvement, disrupted traffic for months. Deliberate cable cutting in the Persian Gulf would be harder to repair in a war zone and would affect not just the Gulf but global data routing.

Is US military cloud infrastructure at risk?

The C2E contract distributes military workloads across AWS, Azure, Google Cloud, and Oracle, with classified processing theoretically in separate, hardened facilities. But the support infrastructure (power, cooling, fiber connectivity) is shared with commercial facilities. The March 1 strikes showed that commercial and military infrastructure in the same region share vulnerabilities even when logically separated. The Pentagon is reportedly accelerating plans to move critical Gulf workloads to Sigonella (Sicily) and Diego Garcia.